Security

Are Hotlinked Images Now a Liability? 57

ConcernedImage asks: "I work for a company that has a strong online community, with a full set of message boards that currently allow external image hotlinking. With the new WMF exploit out there, all it takes is one user to link to a bad image, and suddenly it's -our- web site inflicting the computers of others (at least, as far as our users are concerned). Is allowing hotlinked images a legal liability now? What steps are other online communities taking to protect themselves and their users against this?"
This discussion has been archived. No new comments can be posted.

  • I believe that's the technical definition of stupid.
    • The WMF vulnerability applies to any image displayed by Internet Explorer. It uses inspection rather than extension to figure out the file type.
    • How are you supposed to tell? It's one thing to check file extensions, but you could still have something sending a different Content-Type: via CGI, or an HTTP redirect, or something. Does this mean that you should check every image hotlinked by users' code for safety? What if the image is subsequently changed? What if it triggers an exploit in your checking library? It's all very troublesome. Maybe you should download the image in question and check it and refer users to the downloaded version instead of
      • Since the question is basically about what an online community / forum can do to not be liable for the damage done by a hotlinked image, the simplest solution would be to block allow people to hotlink images however to not show them to the viewers of the page by default but to give them an option which they can enable (after agreeing to a disclaimer) which will display the hotlinked images in the page/site. This is pretty much the same concept which is used by email clients to disable tracking images which com
  • by bartjan ( 197895 ) * <bartjan&vrielink,net> on Friday January 06, 2006 @07:13PM (#14413098) Homepage
    Hotlinks always were a liability, or at least have been from the moment the goatse domain was registered...
  • Uh... not allow hotlinking to wmf files?
    • There is no way to tell.

      Check the filename? Ok the malicious webserver will lie about the filename vs the mime type.
      Check the file itself? Ok, now the malicious webserver just serves different files for different sources.

      There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.
      • Accept no new external image src= links until after a fix has been pushed out over Windows update? Maybe require all forum sig images to be hosted by you?
      • There's no automatic way to prevent wmf files from being linked to, which is what the whole point of TFA is.

        Have the forum automatically retrieve a copy of the image from the URL entered.

        Automatically reject the image if it is of a different type than claimed, is too big, is a WMF, doesn't exist, etc...

        Automatically repeat the check on a periodic basis: and automatically remove the image if it changes.

        Remove image-posting privilege or ban from the forum anyone whose image submissions are

        • by Anonymous Coward
          Isn't it risky having your webserver automatically hit a file that is specified by a user? A user that is clearly untrusted as you are needing validation of all the image.

          Will your site be obeying robots.txt? If so then validation is pointless just add deny line into robots.txt. Some sites don't appreciate being hit by half the webservers in the world at once because someone added their image to a forum. Couldn't this be used as a way of launching DDOS attacks against any webserver that hosts an image?

          You s
  • Taking steps? (Score:3, Interesting)

    by Schezar ( 249629 ) on Friday January 06, 2006 @07:14PM (#14413105) Homepage Journal
    What steps are other online communities taking to protect themselves and their users against this?

    Using Linux? Using a Mac?

    I kid. But seriously, the issue is PC security, not server security. If your PC is vulnerable to an exploit simply for viewing an image, the problem is YOURS, not the server that happens to link to an image that happens to use that exploit.
    • Yes, but if it does affect 99% of your users, and people trust your site not to be malicious so they keep coming, but you allow random people to post images to your forums... turning that off for now seems like a good idea to me.

      • 99%? 1997 called; they want their browser statistics back.

        Besides, it's Microsoft's fault for the WMF format, allowing this exploit to be used, not patching it quickly, and many other problems regarding MSIE. If they aren't liable for the WMFs, nobody but the users who post them are.
        • 99%? 1997 called; they want their browser statistics back

          It's a Windows flaw, not an IE flaw. Firefox is vulnerable too.

          • "It's a Windows flaw, not an IE flaw." Agreed, you can trigger the code by entering a directory with File Explorer. Parsing to build thumbnails is enough. Clicking on the file (say to look at "properties", or to delete it) can also trigger it.
          • You can't be infected with Firefox just by viewing a webpage. You have to be stupid enough to download and run the infected file.
    • When you detect a Windows system give them a different app that strips out all the images for their own safety and inform them of the fact (also mention that accessing the site via Mac or Linux, being more secure, allows image viewing). Why hide the fact from the user, it's their computer at risk.
  • by toddbu ( 748790 ) on Friday January 06, 2006 @07:15PM (#14413118)
    if someone steals your gun and kills someone, are you liable? It's unlikely that you'd be liable, but it's really up to the people doing the decision making. Always make sure you have a good lawyer, just in case.
    • While the website owner may not be legally liable there is the concern that customers/visitors/users/etc. of the website will not distinguish between hotlinked images and images hosted by the company. Those people that visit the website for [big web company] and get attacked by a virus will not care or bother to investigate if the image is hotlinked or not - they will simply think that [big web company] has a crappy, insecure, unsafe website. Sure, you may not be liable for the damages (but, really, who in t
      • This problem exists for sites that display ads from third parties as well. A site I know was surprised to find out that a third-party ad provider was negligently letting their advertisers serve content that tried to exploit IE in order to install spyware. Needless to say, this company immediately terminated its relationship with the third-party provider. However there are lots of times when it's extraordinarily useful to allow users to link to or upload content for other users to see.

        Take Flickr for exam
    1. Disable external image linking.
    2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.
    3. Remind your users that your company is not responsible for what people post to the forum.

    I suppose you could always cache the images people link to in order to virus-scan them, but that seems really time- and space-consuming.
    • by WTBF ( 893340 )
      2. Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

      The exploit worked even if the files had the wrong extension (of gif, jpeg etc).
    • Tweak your forum software to only allow hotlinks to .gif, .jpg and .png.

      That's impossible. You might be able to restrict it to images with URIs ending in those extensions, but extensions are largely irrelevant to the WWW, it's the Content-Type header that matters, which can't be checked because the person serving it can change it at any time. To add to the complication, because of the way many browsers are implemented, even if you could enforce the Content-Type restriction, the browsers would ignore

      • You might be able to restrict it to images with URIs ending in those extensions, but extensions are largely irrelevant to the WWW, it's the Content-Type header that matters, which can't be checked because the person serving it can change it at any time.

        I know it wouldn't do much good for precisely that reason, but it would take care of accidental links to the malicious images.. say someone makes one of these WMFs of something cute. Some granny with enough ability to upload images to a server (I was goin
        • But it wouldn't "take care of accidental links to the malicious images" because "someone makes one of these WMFs of something cute. Some granny with enough ability to upload images to a server" will upload the .gif, or .jpg, or whatever extension is used. How is she going to tell it is *not* a .gif, or .jpg? Hexedit?
      • I think the severe problem here was that regardless of the content-type header, Internet Explorer would still recognize the signature at the beginning of the file as WMF and therefore display it as WMF.

        Is there any canned code to verify that an image is in WMF format? It seems to me that there's no reason not to ban WMF uploads since I can't think of the last time I heard of someone actually wanting to use that file format for its characteristics.

        D
    • You should probably be doing #3 anyway, but:

      4. Have your users upload their images to your server, only supporting format(s) that can be verified as being what they claim and cannot directly execute scripts like WMF files can (GIF, JPEG, ...). Politely refuse to accept images that are *not* what they claim; Joe might have saved a GIF document with a .JPG extension by mistake after all.

      Now that does not preclude there being some means of exploiting the relevant image handler on the web browser's PC to e

      • Have your users upload their images to your server, only supporting format(s) that can be verified as being what they claim and cannot directly execute scripts like WMF files can (GIF, JPEG, ...).

        Yeah, but the interface for doing that is always pretty kludgy, from what I've seen.. but that was my point behind caching the images that people link to. You could do it entirely transparently and ensure that the images are safe... it's just a matter of providing enough space.
        • caching the images that people link to. You could do it entirely transparently and ensure that the images are safe... it's just a matter of providing enough space.

          The problems now become: your bandwidth, your potential copyright violation, your disk space and processing time, your risk if there's an image-based exploit on your image-checker (always a remote possibility)... and in many of the random phpBB communities and such on the Web, all those are in short supply- and moreover, many of them have users w

          • your bandwidth
            ..Oh yeah, I forgot how expensive traffic is..

            your potential copyright violation
            I don't know, if you disclaim responsibility for what people post, you could make a case that the poster is the copyright violator because they weren't given a licence to distribute the material and that your server merely did as it was told, on the assumption that the poster did have the licence.

            your risk if there's an image-based exploit on your image-checker (always a remote possibility)
            True, but a
    • You want to craft a wmf that shows this url http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx [microsoft.com] to users in need of help. Might open for more legal trouble though...
  • by Scarblac ( 122480 ) <slashdot@gerlich.nl> on Friday January 06, 2006 @07:29PM (#14413222) Homepage

    The forums of Puzzle Pirates switched off all images when it became clear how bad this exploit is. They later turned back on avatars, since they're checked by the server (only accepts JPEGs and GIFs of a certain max size, and then stored server side, as far as I know).

    The original announcement said they'd be back when Microsoft release their official patch, but I think PP is giving everybody time to patch first.

  • You want and need good legal advice. That can only be given by apocryphal competent lawyers.

    IANAL, but IMHO you most definitely are liable for unusual hazards to present to visitors. I'm not sure how you avoid liability for libel and copyright violations except perhaps by prompt action. Common-carrier is not common-storer, although public warehouses have existed for centuries.

    Here, it is very easy for you to wrapper IMG tags to require a click, and maybe tag them with source URL for those many lusers w

  • You see, even if you did disable hotlinking to images, someone could just as easy post a link to a picture on another server naming it other than WMF. And say check out this cool picture. Granted the user has to click on the link then, but tell me most users don't do that anyway?

    Also, what about javascript? All the script has to do is call for the image to be loaded, not even displayed. The problem is much larger than just stopping sites from hotlinking images.

    Your question is that it's a liability, I w
    • You see, even if you did disable hotlinking to images, someone could just as easy post a link to a picture on another server naming it other than WMF. And say check out this cool picture. Granted the user has to click on the link then, but tell me most users don't do that anyway?

      Certainly it's not efficient to check all the time in advance - or else, the only plausible strategy is to cache - that way you can guarantee the content being delivered. Now what precautions are reasonable?

      Also, what about javas

  • I know, there's a lot of restrictions on what images can do and not included files, but I mean, images can do a lot of things. Not only are there vulnerabilities in actual image files themselves, but it's easy to create a php file with the extension ".png" and headers telling the browser it's a png file. Then you just make sure you render a png image as the end result when the script is embedded with an image tag, and in between that you can do a lot of things. You can get IP addresses and other information an
  • Great (Score:2, Insightful)

    by sharkey ( 16670 )
    With the new WMF exploit out there

    There's a new WMF exploit out to take the place of the one patched yesterday?

    • No, but you can't be sure that everyone patched themselves. I mean, maybe you can on Slashdot, but certainly not on half the random phpBB user communities across the web.
  • I can understand why you'd be concerned about the possibility of your website serving exploit code to unsuspecting users. However, I'd like to point out that the problem is not unique to your site, nor does it only affect sites that allow users to post images. I've posted a writeup [blogspot.com] about a security incident I investigated that involved a malicious WMF being distributed through syndicated advertisements, and I know the same thing happened when the GDI vulnerability was discovered. The bottom line is that i
  • Microsoft released a patch for this. Try again, Slashdot.
    • by mh101 ( 620659 )
      Doesn't mean every Windows PC out there will be magically patched within 24 hours... even with automatic updates turned on, it's still not like Windows is checking every 5 minutes for new patches.

      • How about this: On any page which hosts images, add a link to a WMF file with the patch. That way the first time someone opens the page in an exploitable program, the patch is applied automatically and the remaining images can't cause any damage.

        Only partly joking...
  • by SmallFurryCreature ( 593017 ) on Saturday January 07, 2006 @03:19AM (#14415573) Journal
    Sadly MS handling of it was typical and the windows user reaction to it was typical as well.

    I am of course a geeky nerdy never washing never getting laid linux user who hasn't had to worry about security alerts at all in 2005 (Check somebody else's post in one of the CERT stories where he shows that there have been no cyber alerts for linux in 2005) the last I think was in 2004 or 2003 relating to openssl or ssh.

    MS response was idiotic and shows they totally do not care about their customers. In the best case they should have made it very clear to every windows user that browsing the net was dangerous and put out a simple patch that disabled WMF completely or at least put up a warning before a wmf like file is accessed even if it is a WMF disguising itself as a jpeg.

    Oh but this could break existing products? WHO THE FUCK CARES? It is like worrying that cutting off the electricity and gas after an earthquake is going to make your icecream melt. The WMF exploit is a disaster and that means it is time for drastic measures.

    Windows users should have been up in arms. Browsing the internet became a no-no even with non-porn sites. Only thing that has to happen is 1 person on forum having an exploit for their avatar image and bang.

    I have seen several people being affected by this exploit. Sure some were stupid free porn sites surfers but not all of them. Just normally using their computer and BAM. Infected.

    We have been getting a lot of comments from MS fanboys about how much stabler XP is and that MS is getting a lot more serious about security. HA. This WMF thing has shown that MS is still the same MS of old. Nothing has changed. A full week to patch exploit affecting all your users and the all the MS fanboys can do is sputter "They had to test it" yeah right. Oh well at least it seems that this time the patch actually works. That gotta be a first.

    Oh well now to answer your question. There is nothing to do here but disable unchecked content on your website. That means you gotta host every image yourself and make sure you check that it is what it claims to be in your upload code.

    The MS patch won't change a fucking thing. An awfull lot of MS users never patch up so this WMF exploit will be with us as long as that code red crap and every other windows exploit. If I am ever diagnosed with an incurable disease and only have a few weeks left, gates is going to get a bullet in the head.

    • ... gates is going to get a bullet in the head.

      Don't leave Ballmer out of this. Save a cartridge for him: any number of Slashdotters would be willing to provide a spare bullet ... maybe even two (you know, just to be sure.) Although, now that I think about it, I'm not entirely sure that a wooden stake wouldn't be more appropriate.
  • *cue piano*

    'F' is for the Fear you won't have anymore.
    'I' is for the Internet you love to peruse.
    'R' is for the redundant mod this post will score.
    'E' is for the Explorer you'll no longer use.
    and..
    'F' is for the Favorite of so many on the Net!
    'O' is for the Open Source in "FOSS"!
    'X' is for the Xtra plugins you're bound to get.
    And that spells "FIREFOX": http://www.firefox.org/ [firefox.org] Tell your boss!
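
The upload-time check that several commenters describe (host the image yourself, accept only GIF, JPEG or PNG whose content matches the claimed type, refuse WMF whatever it is named), as an added example that is not part of the original discussion or of any forum software. The function names, the 512 KiB size limit and the sample byte strings are assumptions made for illustration; the check reads only the leading bytes and never decodes the image.

```python
import struct

# Leading-byte signatures of the only formats the forum accepts.
ALLOWED_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}
# The extension is only the uploader's claim about the format.
EXT_TO_FORMAT = {"gif": "gif", "jpg": "jpeg", "jpeg": "jpeg", "png": "png"}
WMF_PLACEABLE_KEY = 0x9AC6CDD7  # key that opens a placeable WMF header

# Constructed sample inputs: headers only, padded with zero bytes.
SAMPLE_GIF = b"GIF89a" + b"\x00" * 16
SAMPLE_WMF = struct.pack("<HHH", 1, 9, 0x0300) + b"\x00" * 12
SAMPLE_PLACEABLE_WMF = struct.pack("<I", WMF_PLACEABLE_KEY) + b"\x00" * 18


def looks_like_wmf(data: bytes) -> bool:
    """True if data opens with a placeable or standard WMF header."""
    if len(data) >= 4 and struct.unpack_from("<I", data)[0] == WMF_PLACEABLE_KEY:
        return True
    if len(data) < 6:
        return False
    # Standard header: type 1 or 2, header size of 9 words, version 1.0 or 3.0.
    file_type, header_words, version = struct.unpack_from("<HHH", data)
    return file_type in (1, 2) and header_words == 9 and version in (0x0100, 0x0300)


def sniff_format(data: bytes):
    """Return 'wmf', 'gif', 'jpeg', 'png' or None from the leading bytes."""
    if looks_like_wmf(data):
        return "wmf"
    for fmt, magics in ALLOWED_MAGIC.items():
        if data.startswith(magics):
            return fmt
    return None


def check_upload(filename: str, data: bytes, max_bytes: int = 512 * 1024):
    """Return (accepted, reason); the content decides, not the file name."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = EXT_TO_FORMAT.get(ext)
    if claimed is None:
        return False, "only .gif, .jpg and .png are accepted"
    if len(data) > max_bytes:
        return False, "image is too large"
    actual = sniff_format(data)
    if actual == "wmf":
        return False, "WMF content is not accepted"
    if actual is None:
        return False, "content is not a GIF, JPEG or PNG"
    if actual != claimed:
        return False, f"file is a {actual.upper()} but is named .{ext}"
    return True, actual


if __name__ == "__main__":
    for name, blob in [("cat.gif", SAMPLE_GIF), ("cat.jpg", SAMPLE_GIF),
                       ("cute.jpg", SAMPLE_WMF), ("logo.png", SAMPLE_PLACEABLE_WMF)]:
        print(name, check_upload(name, blob))
```

Because the accepted copy is stored and served from the forum's own host, the bytes a visitor receives are the bytes that were checked, which a hotlinked URL cannot guarantee.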
